From: Matt Caswell
Date: Thu, 19 May 2022 15:58:45 +0000 (+0100)
Subject: Remove some use of SSL object from record layer
X-Git-Tag: openssl-3.2.0-alpha1~2237
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9cd9e0978b237ebb6cc4110532d95903b1c6bf5c;p=thirdparty%2Fopenssl.git

Remove some use of SSL object from record layer

Remove SSL_IS_TLS13() and hello_retry_request

Reviewed-by: Hugo Landau
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/18132)
---
diff --git a/ssl/record/methods/tls_common.c b/ssl/record/methods/tls_common.c
index 703a9e0715e..681a830eb9f 100644
--- a/ssl/record/methods/tls_common.c
+++ b/ssl/record/methods/tls_common.c
@@ -616,7 +616,8 @@ static int tls_get_more_records(OSSL_RECORD_LAYER *rl,
 if (num_recs == 1
 && thisrr->type == SSL3_RT_CHANGE_CIPHER_SPEC
- && (SSL_CONNECTION_IS_TLS13(s) || s->hello_retry_request != SSL_HRR_NONE)
+ /* The following can happen in tlsany_meth after HRR */
+ && rl->version == TLS1_3_VERSION && rl->is_first_handshake) {
 /*
 * CCS messages must be exactly 1 byte long, containing the value 0x01
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
index 74ecbe527a0..4f98e6de091 100644
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
@@ -1769,6 +1769,7 @@ int tls_parse_stoc_supported_versions(SSL_CONNECTION *s, PACKET *pkt,
 /* We just set it here. We validate it in ssl_choose_client_version */
 s->version = version;
+ s->rrlmethod->set_protocol_version(s->rrl, version);
 return 1;
 }
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 2f2043671aa..1c7d75c10cc 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
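Review bot: The new condition on the `+ && rl->version == TLS1_3_VERSION && rl->is_first_handshake) {` line now relies on the handshake layer having already pushed TLS1_3_VERSION into the record layer by the time the CCS record arrives, where the removed line could still recognise the post-HRR case through `s->hello_retry_request`; if `rl->version` has not been updated yet at that point, the strict one-byte CCS check below is simply skipped rather than failing closed. The added comment `/* The following can happen in tlsany_meth after HRR */` does not say which operand it explains and is easy to misread inside an `&&` chain; I would replace it with `/* rl->version is TLS1_3_VERSION here only once the handshake layer has called set_protocol_version() (done in this commit from the supported_versions parser and on HRR); until then this TLSv1.3-only CCS check does not run */`. The `is_first_handshake` operand also narrows the old `SSL_CONNECTION_IS_TLS13(s)` case to the initial handshake, so if that flag is cleared at handshake completion a CCS record received later on a TLSv1.3 connection no longer enters this branch and its handling falls to code outside the hunk, which is worth confirming still rejects it. tls_get_more_records() starts and ends outside the hunk.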
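Review bot: The added `s->rrlmethod->set_protocol_version(s->rrl, version);` hands the record layer a version that, per the comment on the line above, has not yet been validated by ssl_choose_client_version(), and it ignores any return value the method may have; the same pattern appears in the statem_clnt.c hunk of this commit. That is safe only if every failure path out of ssl_choose_client_version() aborts the connection before another record is processed, which nothing in this hunk establishes. I would extend the existing comment to `/* We just set it here (and mirror it into the record layer). We validate it in ssl_choose_client_version; a failure there must abort the connection */`, and check the result if set_protocol_version() can report failure. Since both hunks set s->version and the record-layer version side by side, a small helper that does both would keep the two from drifting apart. tls_parse_stoc_supported_versions() starts outside the hunk.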
@@ -1416,6 +1416,8 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL_CONNECTION *s, PACKET *pkt)
 goto err;
 }
 s->hello_retry_request = SSL_HRR_PENDING;
+ /* Tell the record layer that we know we're going to get TLSv1.3 */
+ s->rrlmethod->set_protocol_version(s->rrl, s->version);
 hrr = 1;
 if (!PACKET_forward(pkt, SSL3_RANDOM_SIZE)) {
 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
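Review bot: The new comment says the record layer is told it will get TLSv1.3, but the call on the next line passes `s->version`, and nothing in the hunk shows that s->version already equals TLS1_3_VERSION at the point the HRR random is recognised; if it still holds an earlier or unset value, the TLSv1.3-only CCS check this commit adds in tls_common.c (`rl->version == TLS1_3_VERSION`) will not engage after the HRR. Either pass the constant the comment promises, `s->rrlmethod->set_protocol_version(s->rrl, TLS1_3_VERSION);`, or, if s->version is indeed guaranteed to be TLS1_3_VERSION here, reword the comment to `/* Mirror s->version (already TLS1_3_VERSION at this point) into the record layer so it treats the post-HRR CCS as TLSv1.3 */` so the claim and the code agree. tls_process_server_hello() starts and ends outside the hunk.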